CiscoCXSecurity / linikatz

linikatz is a tool to attack AD on UNIX
BSD 3-Clause "New" or "Revised" License
526 stars 81 forks source link

Extract modern ccaches #11

Closed timb-machine closed 3 years ago

timb-machine commented 3 years ago

https://adepts.of0x.cc/kerberos-thievery-linux/

timb-machine commented 3 years ago

The post above show two memory locations to look at, kernel keyrings and in-process structs.

We can tackle the latter simply by looking for libraries that link to libkrb5.so and dumping the process with gcore. We can use @AdeptsOf0xCC's technique to look for krb5_keyblock structs.

Need to dig into the former to see what we can do from a shell script perspective. We'll continue to track the wider re-engineering under #6.